openclaw + hermes: auto-mint ScrapeCreators API key via existing run_github_auth() at first run

[mvanhorn]

Problem

The auto-auth flow that mints a ScrapeCreators API key from a GitHub identity already exists in this repo. run_github_auth() at skills/last30days/scripts/lib/setup_wizard.py:491 tries gh auth token first (PAT path), falls back to GitHub device flow, and returns {"status": "success", "method": "pat|device", "api_key": "sc_..."}. It is wired to the CLI as:

python3 skills/last30days/scripts/last30days.py setup --github

Neither of the two main agent entry points actually fires this flow during onboarding when SCRAPECREATORS_API_KEY is missing:

• OpenClaw: run_openclaw_setup() at skills/last30days/scripts/lib/setup_wizard.py:208 probes and reports keys.scrapecreators: false, then stops. The metadata.openclaw.requires.env: [SCRAPECREATORS_API_KEY] declaration in skills/last30days/SKILL.md is information-only.
• Hermes: HERMES_SETUP.md directs users to manually "Sign up at scrapecreators.com" and set the env var by hand. No mention of setup --github, even though the user almost certainly already has gh auth configured.

This is a wiring gap, not a missing capability. The cost of closing it is moving openclaw and hermes from "report missing key" to "attempt auto-auth, then report only on failure."

What auto should look like

When openclaw or hermes finishes its post-install probe and finds SCRAPECREATORS_API_KEY absent, it should attempt run_github_auth() automatically before falling back to the manual "go to scrapecreators.com" instructions. The successful flow returns an api_key that gets persisted to the agent's config so subsequent runs do not re-prompt.

Acceptance criteria

OpenClaw:

• First-run with gh CLI present and authenticated: ScrapeCreators key is minted via PAT path, persisted, no prompts shown.
• First-run without gh, or with gh auth token failing: fall through to GitHub device flow (already implemented in run_full_device_auth()), display the user_code and verification URL, persist on success.
• Probe output (run_openclaw_setup() JSON) reflects keys.scrapecreators: true after the auto-flow lands.

Hermes:

• sync.sh (or whatever first-run hook fires after git clone) attempts the auto-flow when SCRAPECREATORS_API_KEY is absent.
• HERMES_SETUP.md updated to describe the auto-auth as the default, with manual signup demoted to fallback.

Shared:

• Existing opt-out path or env var (e.g., LAST30DAYS_NO_AUTO_AUTH=1) skips the attempt for users who want to keep the env var blank deliberately. Decision on the exact knob name belongs to the reviewer.
• Minted key is persisted to the agent's config file, not just held in process memory.
• Tests in tests/test_setup_openclaw.py cover the new wiring with mocked gh auth token + mocked ScrapeCreators endpoints.

Why this matters

ScrapeCreators is the gating dependency for TikTok, Instagram, and Reddit-backup sources. Most agents launch with 3+ free sources active and 3+ paid sources dark, even though the user could have minted a key in under five seconds. The auto-flow eliminates the "I forgot to set up that env var" cliff and pulls openclaw and hermes onto parity with the CLI surface that already exists.

Related code

• skills/last30days/scripts/lib/setup_wizard.py:491 - run_github_auth(), the entry point that already does PAT-first with device fallback.
• skills/last30days/scripts/lib/setup_wizard.py:208 - run_openclaw_setup(), where the wiring would land for openclaw.
• skills/last30days/scripts/last30days.py:540-547 - existing CLI surface (setup --openclaw, setup --github, setup --device-auth).
• skills/last30days/SKILL.md (frontmatter) - openclaw metadata block declaring SCRAPECREATORS_API_KEY as required env.
• HERMES_SETUP.md - manual setup doc to update.
• tests/test_setup_openclaw.py - existing test coverage for the auto-flow primitives.

Out of scope

• Changes to run_github_auth() internals or the ScrapeCreators server-side endpoints.
• New providers or sources beyond what already declares SCRAPECREATORS_API_KEY as required.